REMARKS

Claims 1-26 are pending in the application and are now presented for examination. 
Claims 1-6, 8-17, and 19-26 have been amended. No new matter has been added. Claims 1, 10, 
12, 21 and 23-26 are independent. 

On page 2 of the Office Action, Claims 1-26 were rejected under 35 U.S.C. §103(a) as 
being unpatentable over U.S. Patent No. 6,782,421 ("Soles") and U.S. Patent No. 6,185,689 
("Todd"). To establish a prima facie case of obviousness, three basic criteria must be met. First, 
there must be some suggestion or motivation, either in the references themselves or in the 
knowledge generally available to one of ordinary skill in the art, to modify the reference or to 
combine reference teachings. Second, there must be a reasonable expectation of success. 
Finally, the prior art reference (or references when combined) must teach or suggest all the claim 
limitations. 

There Is No Motivation for One of Ordinary Skill to Combine Cited References 

As an initial matter, Applicants respectfully assert that one of ordinary skill in the art 
would not in any way be prompted to combine the references. Soles discloses "a system for 
evaluating the performance of a computer implemented application, wherein the performance is 
measured in terms of availability," (Col. 2:38-41)(emphasis added). The assessment of 
performance in terms of availability as disclosed in Soles is further exemplified, as Soles 
discloses, "a service level analysis module. . .for calculating the actual service level and the 
defined service level and for comparing the actual service level to the defined service level," 
(Col. 2:49-52)(emphasis added) and further, "the present invention may also be used to evaluate 
the performance of an application against the capability of the application architecture," (Col. 
2:64-67)(emphasis added). In short, Soles discloses a system that compares the actual 
performance of an application against the capacity or availability of the application. 

Todd, on the other hand, discloses "a security self assessment method operable over the 
open internet, for assessing the vulnerability of one or more hosts, while minimizing the 
possibility that the method can be used by unauthorized persons to identify security 
shortcomings in another party's host or network," (Col. 4:7-12)(emphasis added). 

There is nothing in either reference that would prompt one of ordinary skill in the art to 
want to combine these two references, as Todd fails to include any disclosure whatsoever 
regarding assessing application performance as compared to capacity, and similarly, Soles fails 
to make any mention or suggestion of assessing security vulnerabilities. In fact, the only 
reference to 'security' in the exhaustive specification of Soles is with respect to a 'best practices 
survey' (Col. 8:63-Col. 9:13) for "evaluating business risk associated with the implementation 
and operation of an application," (Col. 8:56-59)(emphasis added). Motivation and a prompting 
for combining references cannot be found merely because two references generally relate to the 
ubiquitous and general field of computing systems. Contrary to the Examiner's statement on 
Page 4 of the Office Action that "it would have been obvious to one of ordinary skill in the art to 
use the additional security assessment of Todd Sr et al. for scanning a host. . .," there is simply no 
motivation or suggestion of any desirability whatsoever either in the references themselves or to 
one of ordinary skill to combine the application performance assessment of Soles with the 
internet security assessment of Todd. For at least this reason, Applicants believe that the 
combination of Soles with Todd is improper. Applicants therefore request the withdrawal of the 
rejection to Claims 1-26. 

The Cited References Fail to Disclose All Features of The Independent Claims 

Even if the cited references were properly combinable, Soles and Todd, whether 
considered alone or in combination, fail to disclose each and every element of Applicants' 
claimed invention. Amended independent Claims 1, 12, 23 and 25 each recite, in part, 
"performing a security vulnerability assessment on a system." Amended independent Claims 
10, 21, 24 and 26 each recite, in part, "entering in a database security vulnerabilities identified 
during a security vulnerability assessment," (emphasis added). 

Pages 2 and 3 of the Office Action cite several portions of the Soles reference as 
disclosing the various elements of Applicants' claims with respect to security assessment. 
However, as stated above, Soles fails to make any disclosure whatsoever regarding assessing 
security vulnerability, let alone the additional various elements of Applicants' claimed methods 
and apparatuses related to such assessment. Although Soles does disclose "a vulnerabilities 
analysis module 28," Soles explicitly discloses that the system has "a vulnerabilities analysis 
module 28 for evaluating business risk associated with the implementation and operation of an 
application," (Col. 8:56-59)(emphasis added). Evaluating business risk of the implementation of 
an application is unrelated and non-analogous to assessing a security vulnerability, as stated in 
Applicants' amended independent claims. 

Todd was not cited as disclosing these features of Applicants' claimed invention, and 
Applicants agree that Todd indeed does not contain any such teaching or disclosure. For at least 
this reason, amended independent Claims 1, 10, 12, 21 and 23-26 are believed to be patentable 
over Soles and Todd, whether considered separately or in combination. Applicants therefore 
respectfully request that the rejection of these claims be withdrawn. 

Also, each of Applicants' independent amended Claims 1, 10, 12, 21 and 23-26 recites, in 
part, either "determining a security vulnerability score" or "assigning a security vulnerability 
factor." As Soles fails to make any disclosure regarding security assessment, it clearly cannot 
disclose "determining a security vulnerability score" or "assigning a security vulnerability 
factor." Further, Todd was not cited as disclosing these claimed features, and indeed Todd fails 
to make any disclosure or suggestion of these features claimed by Applicants. For at least this 
reason, amended independent Claims 1, 10, 12, 21 and 23-26 are believed to be patentable over 
Soles and Todd, whether considered separately or in combination. Applicants therefore 
respectfully request that the rejection of these claims be withdrawn. 

In addition, amended independent Claims 1, 12, 23 and 25 each recite, in part, 
"determining a time to fix a security vulnerability identified by the security vulnerability 
assessment of the system based on the determined security vulnerability score," (emphasis 
added). Neither Soles nor Todd teaches or suggests determining a security vulnerability score in the 
first place, let alone a time to fix such a vulnerability based on score. Page 3 of the Office 
Action recognizes that Soles "fails to explicitly disclose" a time to fix a vulnerability, but states 
that Todd discloses the claimed step at Col. 7, lines 1-7. However, the cited passage of the Todd 
reference states: 

"The report file and the results of the security assessment are maintained only for a 
predetermined time period, such as a week, during which time the user can attempt to fix security 
vulnerabilities that were found, and run the assessment again. Limiting the time that the report is 
available and generating a randomized long file name for the URL that identifies the report, 
minimize the potential that another party may obtain access to the security assessment report. 






Application No. 10/759,241 
Filed: January 16, 2004 
Attorney Docket No.: END920030052US1 (1397-9U) 



The report file is unique to the security inquiry, user and arbitrary host, and is updated each time 
the assessment is run. The report file is then deleted or made inaccessible at a predetermined 
time after initiation of the initial security inquiry," (Col. 7:1-12). 

As stated, the predetermined time limit is to prevent others from obtaining access to the 
security report. Although the timing is "predetermined," Todd fails to disclose or suggest any 
correlation of the timing to the severity or 'vulnerability score' of the report. Rather, the time 
limit for report availability appears uniform and arbitrary regardless of the severity of the report, 
and is certainly not "based on the determined security vulnerability score" as claimed by 
Applicants. As such, in addition to the reasons stated above, Claims 1, 12, 23 and 25 are further 
believed to be patentable over Soles and Todd, as these references considered either separately or 
in combination fail to teach each and every feature of Applicants' claims. 

Accordingly, (1) as there is no motivation to combine the Soles reference with the Todd 
reference and one of ordinary skill in the art would not be prompted to combine the elements of 
these references, and (2) as the references, whether considered alone or in combination, fail to 
disclose each and every element of amended independent Claims 1, 10, 12, 21 and 23-26, the 
rejection under 35 U.S.C. § 103(a) is unsupported by the art and the claims are believed to be 
patentable. As such, Applicants respectfully request a withdrawal of the rejection. 

Claims 2-9, 11, 13-20, and 22 each depend, directly or indirectly, from one or another of 
independent Claims 1, 10, 12 and 21. Claims 2-9, 11, 13-20, and 22 recite additional limitations, 
which, in conformity with the features of their corresponding independent claim, are not 
disclosed or suggested by the art of record. Accordingly, Claims 2-9, 11, 13-20, and 22 are 
believed patentable at least by virtue of the patentability of their respective base independent 
claims. Applicants therefore request that the rejection to Claims 2-9, 11, 13-20, and 22 be 
withdrawn. 

For all of the above reasons, the claim objections are believed to have been overcome, 
placing Claims 1-26 in condition for allowance, and reconsideration and allowance thereof is 
respectfully requested. 

The Examiner is encouraged to telephone the undersigned to discuss any matter that 
would expedite allowance of the present application. 

The Commissioner is hereby authorized to credit overpayments or charge payment of any 
additional fees associated with this communication to Deposit Account No. 090457. 



Respectfully submitted, 